When you think about vulnerability management, what comes to mind? If you’re like most companies, you think only about technology and tools. Unfortunately, this is where most get it wrong. Here at Rapid7, we have worked with companies of all shapes and sizes and witnessed firsthand their struggles when it comes to vulnerability management. If you are having difficulties in this area, you are not alone.

In our latest webcast, we explain why most vulnerability management programs fail and what you can do to avoid the same fate. Access the full webcast training for the steps you need to take to improve your program, and see our brief recap below:

[Webcast] Why Vulnerability Management Programs Fail and What You Can Do About It.

Back to basics

First things first, the purpose of a vulnerability management program is to reduce risk within your environment. You cannot fix what you don’t know is present, and by properly identifying risk, you can get a better hold on your security posture. Vulnerability management is so important today that it was actually moved up to CIS Version 7 Control 3 to ensure organizations address it early on.

It is important to begin your vulnerability management program by conducting a baseline assessment to understand your current risk level. It’s equally vital to understand your organization’s risk appetite. Leadership should be involved here to help determine the level of risk your company is and isn’t willing to accept so you can tailor your vulnerability management program accordingly.

What a successful vulnerability management program is—and isn’t

A successful vulnerability management program isn’t just about having the best vulnerability management tool or service in place. While tooling is important, solely conducting vulnerability scans doesn’t mean you have a true program in place. Not nearly enough organizations take the time to carefully plan for what to scan, which leaves gaping holes in vulnerability identification. This often comes from a lack of understanding what needs to be scanned. Watch the on-demand webcast to see exactly what you should be scanning.

Running an effective vulnerability assessment program also means having leadership on board and the resources you need. If you do not have leadership on your side or the necessary resources, you need to find out why. Is it a budget problem, or do you lack the support of your C-suite or board of directors? Without leadership support, security initiatives can fall flat, which leaves little incentive for the rest of the organization to prioritize security. This can also lead to issues between IT and security teams. If the security team runs the vulnerability management program and is sending issues to IT without leadership support, it can be difficult to get IT to take the program seriously.

Additionally, without resources, it’s going to be next to impossible to identify vulnerabilities, assess their impact, then remediate them through patching and configurations. Identifying the vulnerabilities is often the easy part, while finding the time and resources to fix them can be much more challenging and time-consuming.

Vulnerability management as a security best practice

In many ways, vulnerability management is a foundational element of any security program. The goal is to reduce risk, which will benefit every security initiative.

In the webcast, we dive into the vulnerability management lifecycle, detailing where companies go wrong at each of the 10 steps and what you can do to fix it.

Specifically, we explain how to overcome the most common missteps in the following areas:

Governance

Operations

Asset management

Scanning accounts

Scope definition

Classification and prioritization

Change management

Remediation

Verification

Reporting

These 10 steps lay the foundation for success in any well-rounded program. They establish the right tooling to scan and patch vulnerabilities, aid in handling exceptions, define remediation strategies, and measure progress, among other tasks. The rest of the chain of events can fall apart if any one of these is done haphazardly or without oversight.

When you view vulnerability management as more than just a scanning or patching tool and actually take the time to build a successful foundation that involves policies, procedures, change management, and so on, you not only set up your vulnerability management program for success, but also your entire security program.

At Rapid7, we believe that cybersecurity within a company is not just a function with many stakeholders, but rather a shared responsibility among all employees, regardless of role. We have performed hundreds of cybersecurity maturity assessments (CSMAs) for our customers over the years, and one of the main things we continuously find is that the security team is often tasked with things that would be better assigned to IT and business leadership. Those responsibilities include everything from accepting risk on behalf of the business to technical tasks such as implementing patches on production systems. These functions are often assigned to the cybersecurity team because risk is something that many businesses still do not fully understand and IT staff are often overwhelmed with administrative responsibilities.

While we routinely see these practices in place due to their perceived necessity, we aim to help our customers look past how they are performing cybersecurity tasks today, and instead define a future where the responsibilities are distributed so that cyber-risk becomes a board-level discussion. This need for evolution in cybersecurity practices is best illustrated by our 2018 "Under the Hoodie" report. This report analyzes 268 penetration testing service engagements we performed from early September of 2017 through mid-June of 2018, and identifies the common ways our professional hackers were able to breach a network. In short, attackers are constantly changing or recycling their tactics, but the motivations largely stay the same. This requires a cyber-program to constantly assess and manage the cyber-risk to their business and identify approaches that minimize exposure and potential impact.

To determine the future-state strategy and roadmap with our customers, we offer a comprehensive maturity assessment that aligns to the cybersecurity framework best suited for their industry and market vertical. The assessment is divided into phases that consist of a pre-engagement questionnaire, onsite interviews, offline documentation reviews, collaborative report writing, preliminary finding discussions, final reporting, and in many cases, executive/board briefings.

When complete, our customers receive a comprehensive product that includes a consumable component for an executive audience, a deep-dive review of the controls in place and their demonstrated effectiveness, along with a strategic roadmap that prioritizes the strategy based on a risk-to-cost-driven methodology.

Need help prioritizing your security initiatives and aligning them with your business? Our Advisory Services team is here to assist you.

Putting it to the test: The technical side of the Cybersecurity Maturity Assessment

Fact: This year’s "Under the Hoodie" report saw a significant increase in the rate that software vulnerabilities are exploited in order to gain control over a critical networked resource.

In order to understand successes or opportunities in an existing—or, in some cases, nonexistent—vulnerability management program, a fresh set of eyes and fresh scan data is the first step. This can help determine whether the vulnerability management program is truly effective. If there is already an established vulnerability management program in place, fresh data and perspective can help to gauge just how well previously identified vulnerabilities have been mitigated, and whether they were done so in accordance with your organization’s defined SLA.

Given that the responsibilities for remediation vary and that stakeholders are often geographically dispersed, it's paramount to ensure proper prioritization and remediation workflows—as well as long-term plans—are created and followed.

As part of our comprehensive Cybersecurity Maturity Assessment, Rapid7 will perform an external vulnerability scan of perimeter assets (up to a /24) instead of starting with old scan data. The output from this scanning helps our consultants determine whether your current vulnerability management program is truly effective at assessing your perimeter devices. Additionally, the vulnerability assessment helps determine the attack surface and threat landscape of the external perimeter hosts. From scanning your external hosts to determining whether the highest-ranked vulnerabilities are true risks relative to your environment, our consultants provide actionable information that helps you bolster your security posture and enhance the future state of your security program.
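To make the remediation-verification step concrete, here is an added example (not Rapid7's code and not the output of any Rapid7 product) that reconciles a baseline scan with a fresh scan and checks each still-open finding against an assumed per-severity SLA; the finding format, SLA values, dates and sample hosts are all constructed assumptions.

```python
# Added example (not Rapid7 code or product output): reconcile a baseline scan
# with a fresh scan and check open findings against per-severity SLAs.
# The finding fields, SLA days and sample scan data are constructed assumptions.
from dataclasses import dataclass
from datetime import date

# Assumed remediation SLAs in days, keyed by severity (constructed values).
SLA_DAYS = {"critical": 15, "high": 60, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str         # asset identifier
    vuln_id: str      # scanner's vulnerability identifier
    severity: str     # critical / high / medium / low
    first_seen: date  # date the finding was first reported


def reconcile(baseline, fresh, today):
    """Bucket each baseline finding: 'remediated' if absent from the fresh
    scan, otherwise 'within_sla' or 'overdue' by age versus its severity SLA."""
    fresh_keys = {(f.host, f.vuln_id) for f in fresh}
    report = {"remediated": [], "within_sla": [], "overdue": []}
    for f in baseline:
        if (f.host, f.vuln_id) not in fresh_keys:
            report["remediated"].append(f)
            continue
        age_days = (today - f.first_seen).days
        bucket = "overdue" if age_days > SLA_DAYS[f.severity] else "within_sla"
        report[bucket].append(f)
    return report


def new_findings(baseline, fresh):
    """Findings the fresh scan reports that the baseline did not (new exposure)."""
    seen = {(f.host, f.vuln_id) for f in baseline}
    return [f for f in fresh if (f.host, f.vuln_id) not in seen]


def sla_compliance(report):
    """Fraction of still-open findings inside SLA; 1.0 when nothing is open."""
    open_count = len(report["within_sla"]) + len(report["overdue"])
    return 1.0 if open_count == 0 else len(report["within_sla"]) / open_count


# Constructed sample data: baseline scan of two perimeter hosts on 2018-03-01,
# fresh scan on 2018-04-15 (VULN-B fixed, VULN-A and VULN-C open, VULN-D new).
BASELINE = [
    Finding("203.0.113.10", "VULN-A", "critical", date(2018, 3, 1)),
    Finding("203.0.113.10", "VULN-B", "medium", date(2018, 3, 1)),
    Finding("203.0.113.20", "VULN-C", "high", date(2018, 3, 1)),
]
FRESH = [
    Finding("203.0.113.10", "VULN-A", "critical", date(2018, 4, 15)),
    Finding("203.0.113.20", "VULN-C", "high", date(2018, 4, 15)),
    Finding("203.0.113.20", "VULN-D", "low", date(2018, 4, 15)),
]
TODAY = date(2018, 4, 15)  # assumed date of the fresh scan
```

Running `reconcile(BASELINE, FRESH, TODAY)` on the constructed data reports VULN-B as remediated, the 45-day-old critical VULN-A as overdue against its 15-day SLA, and VULN-C as still within its 60-day SLA.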

An assessment of your organization's security posture would not be complete without first inspecting the human element. It’s no secret that adversaries are often more successful at breaching perimeter defenses through social engineering than through traditional service or application exploitation. With this in mind, companies need to be vigilant in their security training and awareness programs. (Recommended reading: “Socializing Security” in the "Under the Hoodie" report.) As security should have many stakeholders, it’s often hard to gauge just how well these training programs are working, and this awareness needs to come from the top down. Otherwise, it will falter at some point.

Rapid7’s Cybersecurity Maturity Assessment offering keeps this in mind by performing a light phishing exercise to help you visualize how susceptible a subset of your employees are to phishing attacks. While the attack is not a targeted and sophisticated phishing attack, it still gives an inside look into how likely users are to click enticing links and subsequently supply their credentials. Any interaction with a potentially malicious site should be taken with the utmost care, and submission of any information—including fake information—should never occur. Why? There could be other nefarious actions set to transpire after the submission of data, or even the click of a link.

Proper vulnerability management and user awareness training are critical to an organization's defense strategy. Rapid7’s consultants help to bridge the gap between security and business stakeholders, ensuring that security is an organization-wide concern, and not just an IT one.

Let our professional services team help you build or mature your security program today.

With 2018 now well in our sights, the countdown to the General Data Protection Regulation (GDPR) is most definitely on. Articles 33 and 34 of the GDPR require organizations to communicate personal data breaches when there is a high risk of impact to the people to whom the data pertains. GDPR security requirements and breach notification go hand-in-hand, for obvious reasons. In the words of the European Commission Working Party 29 (the group tasked with clarifying the requirements of the GDPR), Article 32 of the GDPR “makes clear that the controller and processor should have appropriate technical and organizational measures in place to ensure an appropriate level of security of personal data: the ability to detect, address, and report a breach in a timely manner should be seen as essential elements of these measures.” So in brief, if there's a good chance a breach would affect people's personal data, there's gotta be a comprehensive plan in place to address it—quickly. You can read more about Working Party 29’s guidelines on Data Breach Notifications here.

Traditional defenses are not geared toward detecting the more complex threats and exploits used in today’s sophisticated threat landscape. Moreover, attackers don’t just operate during business hours. And the longer an attacker goes undetected, the more potential there is for them to do damage. The answer for many organizations is to set up a Security Operations Center (SOC), but this can be a daunting and costly task. It takes a lot of time and money to build a SOC and to competently staff it around the clock. And that’s assuming you can find (and keep!) the right people.

There is another way.

Rapid7 Managed Detection and Response

Rapid7 Managed Detection and Response (MDR) Services provides 24/7 incident detection and response. This makes it that much easier for organizations to tackle their detection and response needs without needing to invest in building and staffing a SOC themselves. Per the advice of Working Party 29, “a key element of any data security policy is being able, where possible, to prevent a breach and, where it nevertheless occurs, to react to it in a timely manner.” This is great, but to do it well is often beyond the budgetary means of many organizations. There is a terrible Kickstarter pun just raring to go here, but let’s keep to the point.

This raises the question: what’s included in Rapid7 MDR?

People, Process, Technology

Rapid7 built our Managed Detection and Response offering around people, process, and technology. The Rapid7 SOC is full of some of the finest talent in cyber security. They eat, sleep, and breathe alerts. When they finish up at work, many of them go to meetups on hacking. The technical people on the team average more than 10 years’ experience. They’ve worked for public and private sector organizations. Even the most junior analyst has seen over 300 threats and many breaches.

The backbone of the Rapid7 Managed Detection and Response Service is Rapid7 InsightIDR, for SIEM, User Behavior Analytics (UBA), and Endpoint Detection and Response (EDR), but we don’t just manage the technology for you. The team both hunts for threats and conducts investigations to understand what is going on in your environment. If a lead is a threat, and the threat is a live attacker, the team can easily pivot into incident response escalation mode. Two incident escalations are included annually with the service, so if the worst happens you know the experts have your back.

Prior to deploying Rapid7 MDR, the team conducts a compromise assessment and builds a threat profile for the organization. The threat profile enables understanding of user behavior within the organization so that it’s easier to spot anomalies and make better use of threat intelligence. The compromise assessment ensures that there is a clean environment prior to starting. In some cases, our team has done a compromise assessment and found issues that previous companies had missed.

Round the clock support

Rapid7 has security operations centers around the globe, where our analysts execute the 24/7/365 coverage. The combination of people, process, and technology makes it possible to better meet organizations’ needs for GDPR, without the overhead of an in-house SOC.

Check out the GDPR toolkit for more information on how to get prepared for the upcoming regulation.

At the National Information Solutions Cooperative (NISC) Member Information Conference (MIC) on Wednesday, we were delighted to join Jeff Nelson, NISC’s Vice President of Information Security and Risk Management, to help announce their new offering: NISC CyberDetect. Building on our existing relationship with NISC (they offer vulnerability management services powered by Nexpose), NISC will now also provide Managed Detection and Response (MDR) services to its member base, powered by the Rapid7 Insight platform and Rapid7 Security Operation Centers (SOCs).

NISC, a Rapid7 customer, provides technology solutions for its members, who are companies in the utilities and telecommunications space. NISC has a deep understanding of the unique challenges its member organizations face and knows the threats against these types of organizations are growing. According to the DBIR, for the Information industries including telecommunication, 97% of threat actors are external, many due to compromised credentials. In many cases these organizations are small, and they trust NISC to provide recommendations and services that fit their needs. Gartner highlights MDR as a “sweet spot” for smaller organizations as they figure out their detection and response investment strategy.

Rapid7 MDR, with InsightIDR and the Insight platform at its core, provides 24/7 detection and response services for organizations. Based in the Rapid7 SOCs, the MDR service team utilizes user behavior analytics, attacker behavior analytics, threat hunting, and threat intelligence to detect and respond in customer environments. The experienced team has seen and responded to thousands of breaches and threats, and has experience working with customers across many industries.

Our managed services, threat intelligence and research teams drive primary threat intelligence from a number of sources including incident response, Internet-wide scanning (Project Sonar), and our global honeypot network (Project Heisenberg). Additionally, Rapid7 develops Metasploit, the most widely-used penetration testing software in the world, which gives us an unparalleled understanding of the attacker mindset.

What does this look like in action? A recent example we were able to share publicly was when our threat intelligence team discovered that local radio station broadcasts were being hijacked. We leveraged our Sonar research and the intelligence it provided to quickly determine potentially vulnerable radio stations. We reached out to any customers in radio or television to let them know about the vulnerability, and provide details of the hijacking and recommendations on how to mitigate the vulnerability. We then shared our threat intelligence with a broadcasting industry association to ensure that non-Rapid7 customers were notified and educated too.

We are excited to work more closely with NISC’s members so that we can help more organizations make sense of the potentially millions of data points relevant to detection and response and help organizations take action. Many teams are overwhelmed when thinking about building a detection and response program—from finding and retaining talent to technology to process. We want to address those concerns so that companies can instead focus on doing what they do best. Our teams are constantly looking for industry trends so that we provide managed services, backed by the power of extensive research and a deep understanding of the threat landscape.